
Ford, Peter --- "Protecting the National Information Infrastructure" [2001] AUFPPlatypus 8; (2001) 70 Platypus: Journal of the Australian Federal Police, Article 8


Protecting the national information infrastructure

IQPC CYBER-CRIME CONFERENCE

SYDNEY, NOVEMBER 13, 2000

Peter Ford

First Assistant Secretary

Information and Security Law Division

Attorney-General's Department

Australian policy on the protection of the National Information Infrastructure (NII) was announced by the Attorney-General on August 26, 1999. As in the US, the NII is conceived of as comprising essential services such as telecommunications, banking and finance, transport and distribution, energy and utilities, information services and critical government services. In formulating this approach, we were very greatly assisted by having had before us the policy initiatives that have been taken in the US, the UK and Canada.


To protect the National Information Infrastructure, the Government has adopted a five point strategy intended to:

• develop cooperative arrangements between the public and private sectors;

• integrate electronic and physical protective security and response arrangements;

• encourage further development of a response capability in both the private and public sectors;

• build a threats and vulnerability data base; and

• develop review arrangements.

We have now been given $2 million in the budget for the following purposes:

a. the collection and analysis of information and the issue of threat assessments;

b. development of a capability to detect and respond to information attacks;

c. development of an incident reporting system;

d. maintenance and development of current capabilities to analyse vulnerabilities and progressively improve protective security; and

e. coordination of these activities.

Generally speaking, the Australian Secret Intelligence Organisation (ASIO) has been given the lead in the collection and analysis of information and the issue of threat assessments, the Australian Federal Police (AFP) in developing a capability to detect and respond to attacks, the Defence Signals Directorate (DSD) in the analysis of vulnerabilities and in progressively improving protective security and the Attorney-General's Department in the development of an incident reporting system and in the coordination role.

To accomplish these tasks ASIO, DSD and the Attorney-General's Department have each received $600,000 and the AFP $200,000. The basis upon which these amounts were estimated is set out in the Report of the Inter-Departmental Committee on Protection of the National Information Infrastructure of December 1999.

Cooperative arrangements

The first and fundamental part of the Government's strategy is to build cooperative arrangements between the public and private sectors. Because much of the NII, and much of the technical expertise required for its operation, is in the private sector, cooperation is essential to formulating the necessary framework of protective security and response capabilities.

For this reason, the first plank in the strategy has been to establish the Consultative Industry Forum, comprising representatives of all the constituent parts of the NII. The forum meets quarterly in Sydney and is jointly chaired by the Attorney-General's Department and a private sector representative, currently the Australian Computer Emergency Response Team (AusCERT) based at the University of Queensland.

The Government approach to protecting the NII is one of coordination rather than regulation. However, the Government sees itself as well placed to make links between what may seem totally unconnected attacks on individual information systems. It can also contribute significant technical expertise to complement that in the private sector.

Integrating electronic and physical protective security and response arrangements

Secondly, the Government sees it as important to integrate the NII protection measures with the well established physical protective security and response arrangements that are coordinated by the Attorney-General's Department. Under these arrangements, facilities such as oil wells and some power utilities are classified as ‘Vital National Installations' and are given an enhanced level of protection. Facilities of this kind are seen as essential to society's well-being.

The information infrastructure is in exactly the same position. Integration of the protective security arrangements does not necessarily mean that the two kinds of infrastructure must be protected in the same way, or by the same agencies, but it does mean that the same principles may apply to their protection.

Response capabilities

The third part of the strategy is to encourage further development of a private sector response capability and to improve the public sector's capability. AusCERT is recognised as having particular expertise in this area and, in the public sector, the Defence Signals Directorate can give valuable assistance to Commonwealth agencies responding to an attack of this nature.

Part of the arrangements adopted by the Government will be the coordination of the development of response capabilities in both the public and the private sectors.

In addition, both sectors will need to develop exercise programs to test the effectiveness of existing response capabilities.

Threat and vulnerability database

Next, it is recognised that Australia needs to build a threat and vulnerability database. To this point we have discussed the nature of the threats to information systems and, within the Consultative Industry Forum, have heard a number of presentations on the subject from visiting experts on information infrastructure protection.

One of the important tasks that needs to be carried out is to develop a database of reported incidents. Currently, we simply do not know how many attacks there may have been.

Another important issue for the Forum to address is whether to request relevant agencies to analyse the vulnerability of the information infrastructure considered as a national entity. Once we have reliable information of this kind we will be in a better position to shape our policy to fit particular national requirements.

Review arrangements

The final component of the Government's strategy is to keep the national protective and response arrangements under review so we can adjust to developments in technology and changes in threat levels. Administrative arrangements need to be constantly monitored and adjusted to ensure they meet the desired objectives.

During the East Timor crisis last year, there were press reports of a planned attack on the Indonesian information infrastructure by independence groups in the event of a failure to implement a vote for East Timorese independence. The Attorney-General announced that any attack of this kind made from an Australian computer would be an offence against the Australian Crimes Act and would be dealt with accordingly. In respect of an attack on our own infrastructure, we would expect a similar response from all countries with which we have friendly relations.

In this connection, last year the AFP established a 24 hour ‘hot-line' with the FBI, and through it, G8 countries to investigate computer offences online as they occur. Participation in this network links Australia not only to the G8 countries, but also to all other countries with which the G8 have established similar arrangements. The AFP further developed these contacts at an International Hi-Tech Crime and Forensic Conference in the UK in October last year.

Consultative Industry Forum

The Consultative Industry Forum is the linchpin of the arrangements that the Government has established to better protect the NII.

The Attorney-General's Department, in consultation with other government agencies through an inter-departmental committee, is developing details of a protective and response framework to support further initiatives in this area. The report prepared by the inter-departmental committee, which was released on 26 August 1999, recommends a number of possibilities. Small though they are, the forum's current activities are the starting point in building better arrangements to protect the NII.

An obvious first step is to raise awareness. Despite increasing publicity about the Internet and electronic commerce and their potential security problems, there is still little awareness in Australia of threats and vulnerabilities or of defensive measures required to meet them. In addition, many organisations are not aware that their operations are even part of the NII. The forum has agreed that steps must be taken to raise awareness levels through education campaigns, possibly using the Y2K awareness campaign as a model. It will, however, be important to ensure that campaigns modelled on the Y2K campaign do not discourage people from adopting new technologies. Any campaign must highlight the need to balance security effectiveness with economic advantage. This is a classic case of risk management.

Awareness raising should be accompanied by appropriate training in a range of areas including risk management, protective security and contingency planning.

Such training will need to be directed at all elements of an organisation from senior management down. Training options, ranging from in-house training to academic courses or commercial offerings, already exist. The problem is, however, that in many cases organisations are unable to assess the quality of these options. Both the Government and the forum can initiate development of an accreditation process for security courses.

It is also recognised that the private sector must be involved in an incident reporting process, in receiving advice from government security agencies and in participating in crisis management arrangements. This raises issues concerning the measures the private sector would normally take for the protection of its own information and those that the Government expects the private sector to take for the protection of sensitive government information.

Vulnerability analysis, or penetration testing, raises a number of issues, particularly for the private sector.

The first is the requirement to choose a suitable vulnerability analysis team. The second is that of liability for damage during testing. Finally, there is the issue of the legality of such testing, especially where a third party's data or system may be directly or indirectly involved. Vulnerability analysis is not a technique to approach lightly and detailed legal advice may be needed before undertaking it.

In relation to crisis management, the difficulties are equally significant. Attacks on the NII will involve methodologies and technologies different from those of a physical attack. The coordination of response arrangements will, however, have some similarities with the coordination of responses to a physical attack and existing arrangements can form a basis for an information attack response capability.

There is also a need to develop more wide ranging response capabilities to protect the interests of society as a whole. Response arrangements need to be able to draw on the investigative, intelligence and forensic capabilities of law enforcement and national security agencies. It is acknowledged that our strategic approach must address ways to coordinate these capabilities. The arrangements may need to be based on the coordination arrangements that are already in place for handling hostile attacks from either foreign powers or politically motivated groups.

State and Territory involvement

Some elements of the NII such as health, emergency services and some transport services are operated by State and Territory governments. In addition, they have considerable expertise to contribute in the areas of both protection and response capabilities. With this in mind, we have initiated discussions with the States as to how best to draw on that expertise.

Criminal law

Part VIA of the Crimes Act 1914 creates a number of offences relating to computers. While most of the provisions are intended to protect ‘Commonwealth computers', s.76E prohibits any activity utilising services provided by a telecommunications carrier (ie, any hacking activity) which:

a. destroys, erases or alters data stored in, or inserts data into, a computer;

b. interferes with, or interrupts or obstructs the lawful use of, a computer; or

c. impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a computer.

There are also State and Territory provisions dealing with such conduct.

The denial of service attacks on the major Internet portals AOL and Yahoo in February highlight the vulnerability of any business which relies on electronic communications. The immobilisation of electronic commerce portals can vary from an act of senseless vandalism to a concerted effort to gain some competitive advantage. However, existing State and Territory offences do not deal with this at all well because they were drafted at the end of the 1980s, prior to the electronic communications revolution and when the policy maker's concept of computer crime was that everything that can happen with a computer will occur within the strange little white box. To address this problem governments have developed model offences which were released by Senator Vanstone as part of a Model Criminal Code discussion paper that specifically deals with these attacks. The ‘unauthorised impairment of electronic communications' offence carries a maximum penalty of 10 years imprisonment and targets those who intentionally impair electronic communications to or from a computer without authorisation.

The final report of the Model Criminal Code Officers Committee on the proposed offences is close to being completed and will be released this year. At the request of Senator Vanstone, the Standing Committee of Attorneys-General have resolved to give the reform of computer offences priority. Indeed, the New South Wales Attorney-General has publicly announced his State will be implementing the model computer offences as soon as the report is completed. It is recognised that it is critical that the States and Territories and the Commonwealth should enact consistent offences. At the same time, Australia will keep a close eye on developments with the draft Council of Europe Cyber Crime Convention which is being drafted in an effort to develop a common international approach. So far as is possible, the model Australian offences will be consistent with that approach, though we clearly cannot afford to delay implementation of the new offences.

International developments

Within the OECD, the Working Party on Information Security and Privacy, which Australia chairs, has undertaken a review of the 1992 OECD Security Guidelines to make them more relevant to today's environment of interconnected and interdependent information systems.

In the United States, the President has published a National Plan for Information Systems Protection (Version 1) which comprises 10 programs as follows:

Program 1:

Identify Critical Infrastructure Assets and Shared Interdependencies and Address Vulnerabilities.

Program 2:

Detect Attacks and Unauthorised Intrusions.

Program 3:

Develop Robust Intelligence and Law Enforcement Capabilities to Protect Critical Information Systems, Consistent with the Law.

Program 4:

Share Attack Warnings and Information in the Timely Manner.

Program 5:

Create Capabilities for Response, Reconstitution, and Recovery.

Program 6:

Enhance Research and Development in Support of Programs 1-5.

Program 7:

Train and Employ Adequate Numbers of Information Security Specialists.

Program 8:

Outreach to Make Americans Aware of the Need for Improved Cyber-Security.

Program 9:

Adopt Legislation and Appropriations in Support of Programs 1-8.

Program 10:

In Every Step and Component of the Plan, Ensure the Full Protection of American Citizens' Civil Liberties, Their Rights to Privacy, and Their Rights to the Protection of Proprietary Data.

The United Kingdom has set up a National Infrastructure Security Co-ordination Centre the functions of which are to:

• identify critical services, IT systems supporting them and the organisations responsible;

• determine the threshold above which services are so critical that Government needs to be involved;

• coordinate responses to attacks against critical services;

• identify threats and vulnerabilities; and

• share information with owners of the Critical National Infrastructure.

In Canada, a task force has been developing a strategic plan over the past six months which is likely to focus on:

• creating a trusted and secure electronic business environment;

• protecting the viability and continuity of the Canadian information infrastructure;

• protecting all classified information;

• migrating information systems to electronic key management; and

• delivering effective electronic business management and support services.

Conclusion

The similarities and differences between these various approaches are instructive. Canadian concerns are particularly interesting given the similar issues arising in Australia. The basic approach of each country is to identify which services are critical to public interests, determine the threshold above which services are so critical that government needs to be involved and to set up protective security and response arrangements appropriate to the particular circumstances.

Australia has been actively engaged with these countries and with the OECD in exploring common interests in these areas and will continue in this activity. Current developments may be monitored on the Attorney-General's Department website at www.law.gov.au.


URL: http://www.austlii.edu.au/au/journals/AUFPPlatypus/2001/8.html